Published

Today the Internet was dominated (at least in Europe) by two main topics1:

The first topic was the fallout of a legal debate. The European Court of Justice decided to rule in favor of a “right to be forgotten” regarding search engines. A Spanish gentleman had, after unsuccessfully trying to get a Spanish newspaper to unpublish an older story about the bankruptcy of a company he had owned, sued Google to remove all pointers to that still existing article from its index. The court claimed that a person’s right to privacy would in general trump all other potential rights (such as Google’s freedom of expression to link to an undisputedly true article). Washington Post has a more detailed post on this case. I have also written about the hazards of the “right to be forgotten” a few times in the past so I’m not gonna repeat myself.

The second important story today had more of a technical spin: Mozilla, the company developing the popular standards compliant and open source web browser Firefox announced that they would implement the DRM2 standard that the W3C proposed. DRM means that a content provider can decide what you, the user can do with the content they made available to you: Maybe you can only watch it on one specific device or you may not save a copy or you can only read it once. It’s about giving a content provider control about the use of data that they released into the wild. The supporters of civil liberties and the open web from the Electronic Frontier Foundation (EFF) were not exactly happy lamenting “It’s official: the last holdout for the open web has fallen”

What do these stories have to do with each other?

Both deal with control. The DRM scheme Mozilla adopted (following the commercial browser vendors such as Apple, Google and Microsoft) is supposed to define a standardized way for content providers to control the use of data.3 The EU court order is supposed to give European people the legal tools to control their public image in our digital age.

That made me wonder. Why do so many privacy and civil rights organizations condemn technical DRM with such fury? Let’s do a quick thought experiment.

Let’s assume that the DRM would actually work flawlessly. The code of the DRM module – while not being open source – would have been audited by trusted experts and would be safe for the user to run. So now we have the infrastructure to actually enforce the legal rights of the content providers: If they only want you to view their movie Thursdays between 8 and 11 PM that’s all you can do. But if we defined the DRM standard properly we as individuals could use that infrastructure as well! We could upload a picture to Facebook and hardwire into it that people can only see it once. Or that they cannot download it to their machines. We can attach that kind of rights management to the data we send out to a government agency or to amazon when buying a bunch of stuff. We do gain real, tangible control over our digital representation.

Privacy in its interpretation as the right to control what happens with the data you emit into the world is structurally very similar to the kind of copyright control that the movie studios, music publishers or software companies want: It’s about enforcing patterns of behavior with data no longer under your direct control.

Having understood this it seems strange to me that NGOs and entities fighting for the right of people to control their digital image do not actually demand standardized DRM. There is always the issue of the closed source blob that people have to run on their machines that right now never is audited properly and therefore is much more of a security risk than a potential asset. Also the standard as it is right now4 doesn’t seem to make it simple for people to actually enforce their own rights, define their own restrictions. But all those issues sound a lot like implementation details, like bugs in the first release of the specification.

We have reached somewhat of a paradox. We demand for the individual to be able to enforce its rights even when that means to hide things that are actually legal to publish (by making them invisible to the big search engines). But when other entities try the same we can’t cry foul fast enough.

The rights of the individual (and of other legal entities for that matter even though I find treating companies as people ludicrous) do always clash with the rights of other individuals. My right to express myself clashes with other people’s right to privacy. There is no way to fully express all those rights, we have to balance them against each other constantly. But there also is no simple hierarchy of individual rights. Privacy isn’t the superright that some people claim it to be and it shouldn’t be. Even if the EU court of justice seems to believe so.

The EFF and Sony might really have more goals in common than they think. If I was the EFF that would seriously make me think.

Admittedly by breaking one of Mozilla’s promises: While the programming interface to the DRM software module is open source, the DRM module itself isn’t and cannot be to make it harder for people wanting to get around the DRM. [↩]

keep in mind that I am not a member of the W3C or an expert in that matter [↩]